For your compliance team

Status: stub. Day 5 deliverable. (Designed to be forwarded to a CCO / risk officer / vendor management by an engineer who is evaluating WOS — written in technically precise English, not enterprise brochure-speak.)

This page exists because in regulated industries the user is a developer but the signer is often a compliance officer. The following is what the compliance team needs to evaluate WOS as a vendor — not a marketing pitch, but a checklist they can paste into their existing process.

Vendor identity

  • Legal entity: WOS Inc.
  • Country of incorporation: (populated when the corporate banking process completes — see launch list at /)
  • Incident response window: security@worker-os.com, PGP key fingerprint (published in /security/disclosure), 24h initial response, 72h written postmortem for any P1 incident.

Data handling

  • Data residency: Cloudflare Workers + R2 + D1, multi-region by default. Specific-region pinning is on the Year-1 roadmap.
  • PII surface: WOS does not store applicant PII beyond what the customer explicitly puts in the decision input. The audit log retains the input bytes verbatim by design — set audit.retention_days to your regulator’s minimum.
  • Encryption: in transit (TLS 1.3 only at the L−1 edge), at rest (Cloudflare-managed AES-256), Ed25519 signing keys held Shamir 3-of-5 across four jurisdictions + cross-cloud HSM.

Audit posture

  • Every decision is reconstructible from the input + the policy hash + the published Core Team key. Verify procedure at /security/verification.
  • The Merkle root is anchored to the Bitcoin chain daily via OpenTimestamps. Tampering with the audit log is detectable from block height alone.
  • Continuous Data Room: every L4 (human override) is logged with the override reason, signed, and counted against a public budget.

Standards & certifications

  • SOC 2 Type II: in progress, target Year 1. Single-vendor infrastructure narrative (Cloudflare) intentional to keep audit scope tight.
  • ISO 27001: evaluating, Year 2 target.

Contractual

Apache-2.0 OSS for the CLI; commercial subscription terms for the control plane. Sample MSA + DPA available on request to legal@worker-os.com.